British Airways has suffered a data breach, with critical information on hundreds of thousands of its users being stolen by hackers. The company confirmed the breach, saying it was done by a “very sophisticated, malicious criminal”.
In total, 380,000 accounts were compromised, the company said, with hackers stealing names, street and email addresses, credit card numbers and expiry dates, as well as security codes, through the company website and app.
The theft of this information occurred over a two-week period, it was said, starting on August 21, and ending on September 5, when it was finally discovered.
Chief Executive Alex Cruz said the carrier was “deeply sorry” for the disruption.
“There were other methods, very sophisticated efforts, by criminals in obtaining the data,” he told BBC radio. “It was having access to our systems in an illicit way, it was very sophisticated.”
Cruz added that whoever lost out financially, would be compensated for their loss.
- Check out our best identity theft protection buying guide as well as our best antivirus leaderboard.
Will BA be hit by GDPR?
Paul Farrington, Head of EMEA at app security company CA Veracode also warns that things are different now, with GDPR in force.
“With GDPR now in full force the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.”
“IT issues are not only affecting BA, but also in the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show investment should also be directed at technology. As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.”
Malwarebytes’s Lead Malware Analyst Chris Boyd says it’s interesting to see a company providing such a specific time range for the attack. It’s not something that usually happens:
"The only good thing we can say about this breach is that BA have provided a very short and specific date range where data may have been compromised. Typically, we're lucky to get a date range of less than six months to a year, which makes a potential victim's response to any threat difficult. This could end up being a major test of new GDPR regulations, and it'll be fascinating to see the cause of the breach come out in the wash."